Courts Grapple with Concept of “Harm” in Online Privacy Suits

The fundamental legal principle that only those who have been “harmed” can sue in U.S. courts is being put to the test by the ever-evolving, subjective concept of “privacy” in the equally organic online world.

U.S. Supreme Court rulings on so-called Article III standing reflect that a harm must be 1) concrete, particularized, actual, and imminent; 2) fairly traceable to defendant’s actions; and 3) likely redressed by a favorable decision. If a party fails to meet this test, the court will dismiss the suit for lack of jurisdiction.

Plaintiffs’ lawyers, eager to add online privacy “violations” to their lucrative book of business, have been advancing broad theories of injury through class action lawsuits. Their claims of harm routinely center around either emotional or economic injury. Those efforts so far, with a few exceptions, have met resistance from federal judges.

One suit purportedly brought on behalf of all Facebook users, for instance, argued that Facebook’s promotion of its “Friends Finder” feature – by displaying a person’s name and photo to another user – inflicted economic harm. Last month, a federal judge in California dismissed the claim for lack of standing. While agreeing that Facebook’s use of the name and photo had some economic value to the company, the judge held the plaintiff had no commercial interest in that information, and thus suffered no financial harm. It was especially hard for the plaintiff to claim harm, the judge added, when the “names and likenesses were merely displayed on the pages of other users who were already plaintiffs’ Facebook ‘friends’.”

In Low v. LinkedIn Corp., another federal judge addressed privacy-related claims of harm in both the emotional and economic contexts. The complaint alleged that LinkedIn’s practice of transmitting anonymous user IDs and browsing histories to third parties harmed the plaintiff (and thousands of other LinkedIn users). Judge Lucy Koh turned aside Low’s claims of personal humiliation, noting that he failed to allege what information was disclosed, how the third-party “de-anonymized” the anonymous data, and how it actually harmed him.

Low also claimed that his personal information has an independent economic value for which he was not compensated by the receiving third-party or LinkedIn. While acknowledging that Low may “theoretically have had some property interest” in his information, the court found his allegation was too “abstract and hypothetical” to support Article III standing. He did not, as the court put it, “allege how he was foreclosed from capitalizing on the value of his personal data.” She cited a number of analogous past court rulings which held that collection of personal data did not impose economic harm.

Judge Koh drew a sharp contrast between Low’s circumstances and those involved in a case Low cited as supporting his claim, Krottner v. Starbucks. In that case, a laptop containing Starbucks employees’ names, addresses, and social security numbers had been stolen. The Ninth Circuit found that “increased risk of future identity theft” and “generalized anxiety and stress” constituted injuries sufficient to support their standing to sue.

In the context of emotional harm, a key element for courts when assessing standing to sue seems to be the nature of the data and the level of potential suffering. In Low, the data was anonymized and the plaintiff could not elucidate how he was harmed. In Krottner, the data was highly specific and, though no one’s identity was actually stolen, the anxiety created by the risk (at least according to the court) was significant and supported standing to sue.

In the context of economic harm, plaintiffs have not yet prevailed on the argument that their personal information has value to them, and, in turn, unauthorized use of such information imposes a financial injury. Plaintiffs’ lawyers will continue to advance this theory, however. A complaint filed November 16 in the Eastern District of New York alleging harm from unauthorized “flash cookies” includes such a claim of financial harm. The plaintiff argued that the personal (though not personally identifiable) information on their browsing habits is what consumers “pay” in order to receive free services. When that information is taken without permission, consumers are denied the ability to get “more” for their “payment” and are thus harmed economically. Because the defendant in this lawsuit, Metacafe, has offered to settle this suit, the plaintiff’s theory of harm won’t be tested in court.

A looser, more pliable definition of harm for online privacy-related suits could be devastating for the internet economy and truly injure consumers. The need to provide the type of supposed value-for-value exchanges for one’s online information would require costly technical and business-method changes. Such litigation-driven changes would eventually convert free online services into pay-based models.

If consumers decide that the multitude of self-help mechanisms companies make available for online privacy protection are not enough, then they should seek change from their elected officials, not from the judiciary. Judges should maintain their resolve, and apply a standard of “injury” that keeps lawyer-driven class action privacy suits from harming the very consumers on whose behalf they are filed.